                                Theodore W. Grolimund
                          Certified Information Systems Auditor (CISA)
                  Certified Information Systems Security Professional (CISSP)

P.O. Box 6561                                                     Alexandria, VA 22306-6561
703-660-6092                                                             theodoreg@aol.com

    Year 2000 Internal Efforts: Certification & Contingency Planning Status

SEC’s Year 2000 Internal Efforts: Certification & Contingency Planning Status   December 10, 1999


                                    Executive Summary

The Securities and Exchange Commission (SEC), Office of Inspector General (OIG) engaged the services of a certified information systems (CIS) auditor to perform agreed-upon procedures on SEC’s certification process for internal mission critical systems and for reviewing internal contingency planning efforts for the Year 2000 (Y2K). These agreed-upon procedures were performed solely to assist the OIG in evaluating internal certification processes and contingency planning efforts within the Commission.

The agreed-upon procedures were to:
• Evaluate the certification processes of internal mission critical applications,
• Perform limited inquiries on contingency planning activities over internal information technology (IT) systems maintained by the Office of Information Technology (OIT), and
• Perform limited inquiries to SEC’s Y2K Project Coordinator within the Office of the Executive Director (OED) on business contingency planning activities in the event of internal IT system interruptions.

The audit scope intentionally does not cover any Y2K aspects of the securities industry for which the SEC has oversight authority. In addition, no opinion is offered on the sufficiency of evidence to support any SEC system as Year 2000 compliant, nor is any opinion being given to certify any SEC system as Year 2000 compliant.

Results In Brief:

• The Commission is making progress in certifying its systems.
• The concepts behind certification support good management practices.
• In regards to Y2K compliance status and contingency planning activities, we obtained a copy of a letter from an independent contractor that indicated to the Chairman on September 2, 1999, the following:
  ⇒ As of August 31st, 1999, the SEC has successfully completed the Year 2000 (Y2K) renovation and validation of the Commission’s automated information systems. All mission-critical systems and other operational-support systems, intended to operate in the Y2K timeframe, are now fully Y2K compliant in accordance with General Accounting Office (GAO) guidelines,
  ⇒ Y2K compliant systems have either been placed into full production or are on schedule to complete the transition to full production,
  ⇒ An initial baseline set of contingency plans related to SEC mission-critical systems has been completed, and
  ⇒ During November 1999, these contingency plans will be validated and promulgated across the Commission.
• A readiness test of the EDGAR backup site was performed on August 21, 1999. The EDGAR contractor concluded that the EDGAR back-up site was properly configured and provides a back-up capability for the production system.
• During the audit, SEC’s Year 2000 Contingency Plan¹ and OIT’s contingency plans were still being refined. Additional testing by the Commission is planned.

Recommendations in Brief:

• The Executive Director and the Chief Information Officer should ensure that business and information technology contingency plans are tested (i.e. validated) as planned prior to the Year 2000.

For the long term, the Commission should maintain and build upon the accomplishments of the Y2K effort to improve overall management of SEC’s information resources. The lessons learned from the Y2K effort should be used to guide the development of policies and procedures to support best practices.

• The Executive Director and Chief Information Officer (CIO) should ensure that appropriate policies and procedures are implemented to maintain and test business and information technology contingency plans,
• Jointly, the CIO and Executive Director should issue Commission-wide policies and procedures to identify and assign system and data ownership roles and responsibilities,
• The CIO should implement policies and procedures to authorize and revalidate system processing,
• The CIO should continue sponsoring the certification process of the remaining uncertified systems, and
• The CIO should implement policies and procedures to improve system life cycle management (i.e. change controls, configuration management, quality assurance).

Observations and recommendations are listed in the Audit Results section of the report. A draft of the report was provided for comment to OIT, the Office of the Executive Director (OED) and OIG on November 2, 1999. Various comments were received and the report was modified as appropriate.

¹ SEC’s Year 2000 Contingency Plan is sponsored within the Office of the Executive Director.


                                    Scope & Methodology

The Securities and Exchange Commission (SEC), Office of Inspector General (OIG) engaged the services of a certified information systems auditor. The CIS auditor performed agreed-upon procedures on SEC’s certification process for internal mission critical systems and reviewed internal contingency planning efforts for the Year 2000 (Y2K). These agreed-upon procedures were performed solely to assist the OIG in evaluating internal certification processes and contingency planning efforts within the Commission. No representation regarding the sufficiency of these agreed-upon procedures is being made.

The agreed-upon procedures were to:
• Evaluate the certification processes using a judgmental sample of internal mission critical applications,
• Perform limited inquiries on contingency planning activities over internal information technology (IT) systems maintained by the Office of Information Technology (OIT), and
• Perform limited inquiries to SEC’s Y2K Project Coordinator within the Office of the Executive Director (OED) on business contingency planning activities in the event of internal IT system interruptions.

Procedures included interviewing key OIT and OED personnel, reviewing relevant policies and documentation, and reviewing prior OIG reports and recommendations that may be applicable to this audit. To assist the evaluation of the certification process, a judgmental sample was used. This judgmental sample represents the 53 internal mission critical systems reported in SEC’s June 1998 report to Congress (Second Report on the Readiness of the United States Securities Industry and Public Companies To Meet the Information Processing Challenges of the Year 2000). In addition, GAO’s publications entitled Year 2000 Computing Crisis: A Testing Guide (GAO/AIMD-10.1.21) and Year 2000 Computing Crisis: Business Continuity and Contingency Planning (GAO/AIMD-10.1.19) were obtained to identify applicable best practice criteria. Office of Management and Budget’s (OMB) Circular A-130 was also used as best practice criteria.

No opinion is being given on the sufficiency of evidence to support any SEC system as Year 2000 compliant, nor is any opinion being given to certify any SEC system as Year 2000 compliant. In addition, the audit scope intentionally excludes any Y2K aspects of the securities industry for which the SEC has oversight authority.

This engagement was performed in accordance with the General Accounting Office’s Government Auditing Standards and standards established by the Information Systems Audit Control Association (ISACA). The fieldwork was performed from September 2nd, 1999, through October 28th, 1999. This report is intended solely for the information and use of the SEC OIG and management; however, this report is a matter of public record and its distribution is not limited.


                                      Background

The Office of Inspector General (OIG), United States Securities and Exchange Commission initiated a series of reports and memoranda on the Commission’s efforts to reduce internal Year 2000 (Y2K) vulnerabilities. The OIG, in its continuing efforts on the Year 2000 problem, engaged the services of a certified information systems (CIS) auditor under Purchase Order No. PCHQ990625² to complete the OIG’s Year 2000 audit efforts.

Previously, the OIG issued the following reports on the Year 2000 problem: Audit Memorandum No. 8 (May 18, 1998); Year 2000 Compliance (Audit Report No. 285 - August 24, 1998); Year 2000 Status Report (Audit Report No. 293 - January 25, 1999); and EDGAR Y2K Status (Audit No. 297 - March 19, 1999). The OIG also contracted with an independent CPA firm to audit non-information technology areas for Y2K compliance over embedded systems such as elevators, building and fire security systems (Audit No. 291 - Year 2000 Non-Information Technology, August 9, 1999).

An independent contractor performing IV&V (independent verification and validation) activities sent a letter to the Chairman which indicated in part that:
• as of August 31st, 1999, the Commission had successfully completed Y2K renovation and validation of the Commission’s automated information systems,
• all mission-critical systems and other operational-support systems, intended to operate in the year 2000, were now fully Y2K compliant, in accordance with GAO guidelines, and
• Y2K compliant systems had either been placed into full production or were on schedule to complete the transition to full production.

As implemented at the SEC, Y2K compliance and Y2K certification are not synonymous. Y2K compliance indicates that Y2K testing and applicable remediation occurred, whereas certification indicates that the system owner has accepted the system. As originally conceived in SEC’s Year 2000 Program Management Plan, certification was to be part of the Y2K compliance process, indicating (see Section 3.4.8) that “the application owner will complete the certification and will sign, along with the certifying official that the application is Y2K compliant and ready for implementation into the production environment.” Certification was intended to take place after Y2K testing but before putting a system into production. Subsequently, the Plan was superseded (as explained below) whereby Y2K certifications of Y2K compliant systems would take place generally after the systems were in production. Consequently, Y2K compliance and Y2K certification have different connotations. An uncertified application or system does not necessarily imply that it is not Y2K compliant.

The Chief Information Officer and other senior officials within the Office of Information Technology (OIT) indicated the Year 2000 Program Management Plan was superseded due to operational demands in January 1999, when the Chairman directed widespread testing and remediation of all systems by August 31st, 1999, with the full understanding among system owners and other senior Commission officials that documentation, including certification, would occur as soon as practicable thereafter. The Commission’s Y2K compliance effort included thousands of hardware and software items. The table below provides a brief summary of the items involved. EDGAR, the Commission’s premier and most critical system, is included as one of the 187 software applications.

                     Summary of Y2K Compliance Efforts
            Infrastructure:  2,915 Windows or OS/2 workstations
                             1,067 laptops
                             145 servers
                             152 network components retired
            Software:        187 applications
                             593 commercial or governmental products,
                             including 190 mainframe software products
            External:        69 data file exchanges with 24 partners
                             72 commercial services (e.g. Bloomberg)
                Source: Data obtained from the SEC’s Office of Information Technology.

To help ensure that Commission systems remained Y2K compliant, the Executive Director issued a memo reminding Division Directors, Office Heads, Regional Directors and District Administrators that Y2K compliance must be maintained, and stressed the importance of making no major changes to software applications, operational environment, telecommunications, and infrastructure until March 2000.

In its comments, OIT management described numerous positive aspects of SEC’s Y2K compliance program, which include:
• senior Commission officials including the Chairman were regularly briefed on program status,
• communications between the Y2K team and program offices on their specific systems were held on a regular basis,
• the IV&V contractor role was appropriately increased to address the expanded scope of testing, and
• the goal established by the Chairman for Y2K compliance was met.

² Purchase Order Number PCH0990625 issued on June 8, 1999, includes non-related Y2K work.


                                           Audit Results

I. Certification Process

As indicated in the “Background” section, the certification of systems would occur as soon as practicable after August 31st, 1999.

Based on a sample of 53 mission critical applications, the Commission is making progress to certify its systems. Only seven systems were certified as of August 28, 1999. As of October 22, 1999, the number of certified systems increased to 23. See the table below for the certification status of the judgmental sample.

                               Judgmental Sample
               Certification Status of 53 Mission Critical Applications
                                        (As of October 22, 1999)
               Certified                                                    23
               Pending Certification                                        20
               Retired without replacement                                   9
               Dropped                                                       1
                Source:   Prepared by CIS auditor under contract by Office of Inspector General

The certification process entails the preparation of a certification packet by OIT that documents in brief certification recommendations; Y2K test results, exceptions and discrepancies; and forwarding the certification packet for system acceptance by the system owner, the Y2K Project Director within the Office of the Executive Director, and OIT’s Y2K Director.

In the auditor’s opinion, the concept behind certification supports good management practices. These management practices include: authorization and validation of a system to process in a production status; promoting accountability by identifying and assigning specific owner(s) to each system; and promoting an understanding of the owner(s)’ roles and responsibilities over their system and the data it processes. Certification is one of many activities that can be leveraged from the Y2K effort to strengthen the management of Commission information resources for the long term.

Recommendations:

A. The Chief Information Officer (CIO) should continue sponsoring the Y2K certification process of the remaining uncertified systems.
B. The CIO should issue Commission-wide policy to authorize and revalidate system processing by system owners at least once every three years or whenever a major systemic change occurs, whichever happens sooner.
C. Jointly, the CIO and Executive Director should develop and issue Commission-wide policies and procedures to identify and assign system and data ownership roles and responsibilities.

II. Business Continuity and Contingency Planning Efforts

Based on the CIS auditor’s limited inquiries to the Y2K Project Director and to OIT management, the SEC is progressing in developing its internal contingency plans. An overall SEC Year 2000 Contingency Plan is being sponsored by the Y2K Project Director within the OED, and information technology contingency plans are being sponsored within the OIT. During the audit’s field work, these plans were being refined. No opinion is expressed on the sufficiency of these plans.

An independent contractor, in a letter dated September 2, 1999, indicated that an initial baseline set of contingency plans related to SEC mission-critical applications has been completed and that during November 1999, these plans will be validated and promulgated across the Commission.

The auditor obtained a test analysis report for the EDGAR back-up site (dated September 23, 1999). The test was conducted on August 21, 1999, and based on the test results the EDGAR contractor concluded that the back-up site was properly configured and provides a back-up capability for the production system.

The Commission intends to perform additional contingency testing. Good business practices indicate that business continuity and contingency plans should be tested. Untested plans can lead to a false sense of security.

Recommendation:

D. The Executive Director and Chief Information Officer should ensure business and information technology contingency plans are tested (i.e. validated) as planned prior to the Year 2000.

III. Other Issues

The Y2K project has involved significant resources, much work and many issues. Among them were identification and inventorying of systems, identification of system owners, strengthening system life cycle management (i.e. change controls, configuration management, quality assurance), and the development of information technology and business continuity plans.

The accomplishments and benefits of the Y2K effort can and should be leveraged to strengthen overall management of SEC’s information resources. The lessons learned from the Y2K effort can be used to develop or tailor practices and guide the development of appropriate policies and procedures in support of best practices. These accomplishments should be maintained by instituting and following appropriate policies and procedures.

Recommendations:

E. To maintain and strengthen the accomplishments brought about by SEC’s Y2K effort, the Chief Information Officer should implement appropriate policies and procedures over system life cycle management (i.e. change controls, configuration management, quality assurance).

F. The Executive Director and Chief Information Officer (CIO) should ensure that appropriate policies and procedures are implemented to maintain and test business and information technology contingency plans.


                                           Appendix
                                       List of Acronyms

EDGAR -         Electronic Data Gathering, Analysis, and Retrieval
GAO -           General Accounting Office
IV&V -          Independent Verification and Validation
OED -           Office of Executive Director
OIG -           Office of Inspector General
OIT -           Office of Information Technology
OMB -           Office of Management and Budget
SEC -           U.S. Securities and Exchange Commission